1. Technical Field
This disclosure relates generally to security systems for computer networks.
2. Background of the Related Art
Computers are subject to many kinds of attacks, for example, attacks that are mounted by parties commonly known as hackers. A vandal such as a hacker may attempt to intrude upon a computer to steal information in an act of industrial espionage, or to implant a virus, or to alter records to the detriment or benefit of someone's interests or reputation. To combat such activities, computers may be monitored and protected by intrusion detection systems. An Intrusion Detection System (IDS) is a device or system that monitors a computer network and identifies potential threats.
Internet Protocol (IP) address “reputation” is an important concept in intrusion detection, and it is known that IDS software may be alerted about certain suspect IP addresses by an IP reputation service. In particular, an IP reputation service hosts information associated with various IP addresses that have been identified as hosting suspect content including, without limitation, malware, phishing content, and/or spam. While an IDS typically does act to mitigate threats, the information provided by the IP reputation service adds the capability for the IDS to block, or to warn end users, when a particular IP address serving a request has been identified as hosting such content. It allows IDS software to be alerted by an IP reputation service when a suspect IP address (or URL) needs to have a “warning rating.” For example, an IP address might have been the source of spam or malware, or it may have been part of a botnet or involved in some other sort of attack. The IP reputation service gives a warning rating to the IP address (or URL), which in turn warns its clients (typically IDS systems) to be careful with that IP address or URL.
A limitation of such IP reputation systems currently in practice, however, is that they are centrally managed and distributed. Usually, a vendor of the IDS software watches for suspect IP addresses and warns its IDS software clients about those reputation problems through a proprietary notification service. The use of a single central system, however, is a slow way to discover and propagate important IP reputation information. Indeed, with such centralized approaches, many client systems may be unnecessarily affected by rogue sources while waiting to be updated. For example, if a problem detected by an intrusion detection system in a network is not propagated to other IDSs in the same network immediately, there is a potential opening for an attack vector to get through to another device, perhaps using a different technique. This is particularly worrisome given the increasing incidence of Advanced Persistent Threats (APTs), where attacks on any particular network target are purposely designed to be “lightweight” and hard to detect. Indeed, often it is the analysis and combining of these “lightweight” events, potentially in real time, that can provide a clue to true network vulnerabilities.
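As an added illustration (not part of this disclosure) of the client-side behaviour described above: each IDS keeps a local copy of the centrally distributed reputation feed, applies the warning rating of a source address to decide whether to block or warn, and two IDSs in the same network diverge while one of them is still waiting for the update. The feed format, thresholds, staleness window and addresses are assumptions chosen for the example.

```python
# Constructed example: an IDS client consulting a centrally distributed
# IP reputation feed, and the propagation gap between two such clients.
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class ReputationEntry:
    category: str     # e.g. "spam", "malware", "botnet", "phishing"
    warning: int      # warning rating, 0 (clean) .. 100 (known bad)


@dataclass
class IdsReputationClient:
    """Local copy of the vendor feed as one IDS sees it (assumed layout)."""
    name: str
    block_at: int = 80        # warning rating at or above which we block
    warn_at: int = 40         # warning rating at or above which we warn the user
    max_age: int = 900        # seconds without an update before the copy is stale
    entries: dict = field(default_factory=dict)
    last_sync: int = -1

    def apply_update(self, feed: dict, now: int) -> None:
        """Merge a feed snapshot {ip_str: (category, warning)} into the local copy."""
        for ip_str, (category, warning) in feed.items():
            self.entries[ip_address(ip_str)] = ReputationEntry(category, warning)
        self.last_sync = now

    def decide(self, ip_str: str, now: int) -> str:
        """Return 'block', 'warn' or 'allow' for a request from ip_str."""
        entry = self.entries.get(ip_address(ip_str))
        if entry is not None:
            if entry.warning >= self.block_at:
                return "block"
            if entry.warning >= self.warn_at:
                return "warn"
        return "allow"

    def is_stale(self, now: int) -> bool:
        """True when no feed update has arrived within max_age seconds."""
        return self.last_sync < 0 or now - self.last_sync > self.max_age


def propagation_gap() -> dict:
    """Two IDSs in one network; only ids-a has received the latest update."""
    feed = {"203.0.113.7": ("botnet", 95), "198.51.100.9": ("spam", 55)}  # constructed
    ids_a, ids_b = IdsReputationClient("ids-a"), IdsReputationClient("ids-b")
    ids_a.apply_update(feed, now=1000)          # ids-b is still waiting for it
    return {"ids-a": ids_a.decide("203.0.113.7", 1010),
            "ids-b": ids_b.decide("203.0.113.7", 1010),
            "ids-b_stale": ids_b.is_stale(1010)}
```

The same source address is blocked by the updated IDS and allowed by the one still waiting, which is the window the paragraph above describes.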
One known solution to this problem is for an intrusion detection system in the network to raise an alert to a Security Incident and Event Management (SIEM) system, which provides a central “command and control” style console; this approach, however, relies on human intervention to decide whether multiple events constitute an organized attack. In most cases, these events are reviewed well after the fact, and it is very difficult for manual analysis to pick up a pattern, especially given that APTs raise only very low-level events in IDSs.